• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How Safe is Codeigniter Sessions

#1
[eluser]Shiju S S[/eluser]
Quote:I read in a book on Codeigniter that sessions in codeigniter if not safe. Native php should be used to make safer sessions like user authentication. Is it so?

#2
[eluser]WanWizard[/eluser]
Burn the book. Stone the author.

Just kidding. Smile

The issue is that by default, because CI wants to accomodate everyone and everything, CI is configured to use cookie based sessions, and sessions are not encrypted because there is no encryption key set. So if you don't read the documentation, or you ignore what you read, you sessions are NOT safe.

So, what should you do? Simple: follow the docs:
- define a random encryption key in your application/config/config.php
- set "sess_encrypt_cookie" to TRUE
- ideally switch to database sessions("sess_use_database" = TRUE) so no data is send to the browser

If you do so, your sessions will be secure.

#3
[eluser]Shiju S S[/eluser]
I did as you have explained and hope I am safe.
Quote:Book: Professional Codeigniter
Author: Thomas Myer

#4
[eluser]Otemu[/eluser]
I was using that book, bit outdated but still quite useful.

#5
[eluser]WanWizard[/eluser]
I've checked the book.

The author writes:
Quote:Here’s a very important note if you are security conscious. Even if you choose to save CodeIgniter
sessions in a database table, the same data are stored in a client-side cookie. That means that it is
available to the end-user. Even if you use encryption, it is possible to tamper with the cookie and thereby
cause problems. Therefore, in this book (and in your foreseeable CodeIgniter career), only use
CodeIgniter sessions (and flashdata) to store data that are unimportant. If you need to have secure
logins and authentication, use PHP sessions instead.

I've checked this statement against the code (that I have here atm). The oldest CI I have running here is 1.7.2 (over 2 years old), and that only stores 'session_id','ip_address','user_agent' and 'last_activity' in the cookie.

I've went through the book again, and after some digging found that it was written based on CodeIgniter version 1.6.

So my initial remark to burn the book still stands. The author is off the hook though, it's not his fault you're reading a book written for a version of 5 years ago (I know CI's development goes at a snails pace, but even then 5 years is a very long time)...

#6
[eluser]skunkbad[/eluser]
I think it's worth noting that while not impossible, it would certainly be extremely unlikely that somebody could effectively alter the session data stored in a cookie when it is encrypted. They would have to guess or otherwise know your encryption key. If you're using a strong 32 character encryption key, the likelihood that it could be guessed or otherwise known would be extremely low. You're more likely to get hacked in a different way.

I was a long-time native PHP session user, but I finally changed to CI sessions because of what other people here said. I think the most important thing to consider would be ease of scalability because a secure native session is fairly simple to achieve. PHP's native session is normally tied to a single filesystem whereas CI's session is by default living in the client's browser.

#7
[eluser]keevitaja[/eluser]
how much would https add for security?

i have another question as well. i'm building webpage, where users can log in and i have also added option "remember me" to the login system. when it's checked, users do not have to enter their credentials each time they visit the site.

incase "remember me" is checked, i'm storing 32 chr hash both in cookie and special mysql table with user id. when user comes back and these values match, system logges them in as they just entered their username and password at the login prompt. is this apporoach secure?

#8
[eluser]WanWizard[/eluser]
Very little.

SSL encryption will take care of the 'sniffing the wire' issue, and if you're using an official certificate users can be sure to enter your site instead of some phishing site. And such a certificate makes a man-in-the-middle attach a bit more complex. But is does little to protect you from cookie hijacking, as that happens client side.

If you're worried about security, the first thing you should dump is that "remember me" system. Remember me's are inherently insecure. You can make them a bit more secure if you store IP and user agent in your table as well, and verify these first before you check the hash. Otherwise I can steal your cookie, put it on my PC and I'm in. And stealing a cookie is not that difficult. But that will make it useless for people on the move or in a DHCP environment, as the IP address will change (over time).

The only way to have something reasonably secure is to use a client-side certificate that you can validate, and that uniquely identifies the user. That would also take care of the login, so no more manual login needed. But that's an expensive solution unless it's readily available (in this country every citizen has one embedded in the ID card so we use that for secure authentication).

#9
[eluser]keevitaja[/eluser]
how is "remember me" done in codeigniter forums and other sites? with the same logic as i was describing or something more secure?

#10
[eluser]solid9[/eluser]
@keevitaja

try Ion Auth or oAuth Wink

You will learn a lot from them.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.